Never mind the cyber doomsday predictions of artificial intelligence ravaging the world as we know it. Now you can add a future quantum computer-powered cyberattack to the list of technologies-gone-wrong that experts warn could decimate the U.S. economy and trigger another Great Depression.
For years experts have warned of the dangers of a quantum attack, which would have the power to unlock encryption algorithms and expose protected data such as banking records. Now a fresh analysis of a quantum cyberattack against the U.S. financial sector estimates the cost to the U.S. economy at $3.3 trillion, according to think tank the Hudson Institute.
In a just-released report (PDF) Prosperity at Risk: The Quantum Computer Threat to the US Financial System, the Hudson Institute said once the technology is developed, the financial sector will be a prime target for quantum attacks.
The Hudson Institute says the financial sector must move quickly to protect itself against such an attack, even though the quantum computing power needed by an adversary may not be available for several years.
“Despite the many benefits that quantum computing is poised to bring to the financial sector, the threat of quantum-enabled cyberattacks and, more specifically, quantum decryption holds the potential to outweigh any gains in computational efficiency and accuracy,” authors Arthur Herman and Alexander Butler wrote.
The positives and negatives of quantum computing
A small group of government-funded labs, industry titans like IBM and Google, have been working on quantum computing for years. Each has steadily increasing the number of cubic bits – or qubits – their supercomputers are capable of processing.
Quantum computing is on track to eventually unleash an exponential leap in computing power, which could potentially be used by adversaries for hacking. Experts believe it will be 5-10 years before quantum computers become capable of processing the number of qubits necessary to break classical encryption algorithms like RSA.
The Hudson Institute report said the financial sector needs to begin preparing now for future quantum attacks.
“The impact of a cascading quantum attack on major banks, the Federal Reserve, or stock exchanges and derivative exchanges could be calamitous for the United States and the global economy. The risk of a catastrophic attack and financial collapse rises to levels that eclipse the 2008–09 crisis or the Great Depression.”
The report focused on an attack that results in a breakdown in the interbank payment system, specifically real-time gross settlement (RTGS) systems such as the Fedwire Funds Service that the U.S. Federal Reserve provides.
“Once a cryptographically relevant quantum computer exists, it could access the Fedwire network and initiate a disruption to payments, cause coordination failures within the system that hinder efforts toward resilience, and ultimately irreparably affect the U.S. economy,” the report said.
The Hudson Institute analyzed the impact such a hack would have on the economy and concluded it would result in a 10 to 17 percent decline in annual real GDP resulting in indirect losses of between $2 trillion and $3.3 trillion.
How a quantum computer attack on Fedwire could unfold
Experts agree that today, the U.S. financial sector is dangerously vulnerable to traditional cyberattacks. Even if it were to reduce that vulnerability, the sector would remain susceptible to attacks by future quantum computers capable of defeating public encryption regimes.
Research by the New York Federal Reserve found an attack on a single large bank could spread to nearly 40 percent of the U.S. financial network.
“The high degree of interconnectivity within the financial sector can augment financial contagion and spread systemic risk,” the Hudson Institute report said.
“Given the role of payment and settlement systems as critical financial market infrastructure, any successful attack against an RTGS system could have extreme consequences. [I]f conditions prevent the settlement of cross-border and domestic transactions between banks operating within the Fedwire RTGS system, a cyberattack could lead to liquidity issues for receiving parties, contract breaches, and payment and obligation failures, among other issues.”
The U.S. financial sector stood out as a prime target for a cyberattack, in terms of both exposure and potential impact, the Hudson Institute said.
“Given their high dependence on technology, numerous network connections, and vital role in the financial system, systematically important RTGS systems—such as Fedwire—are prime targets for malign cyber actors keen on causing maximum damage to the system.”
The potential for systemic risk was demonstrated by the 2017 global NotPetya cyberattack which, despite targeting Ukraine, cost Maersk $1.4 billion in losses.
Steps to protect the finance sector against quantum attacks
Following a multi-year project to identify and vet a handful of new encryption algorithms that can help protect federal computers and systems from hacking threats powered by quantum computing, the National Institute for Standards and Technology last year announced four new algorithms that will underpin its future cryptography standards by 2024.
The Post-Quantum Cryptography (PQC) standards include one algorithm for general encryption purposes (CRYSTALS-Kyber) and another three for digital signatures and identity verification (CRYSTALS-Dilithium, Falcon and Sphincs+).
The Hudson Institute report recommends the Fedwire protect itself from future quantum computer threats adopting the NIST PQC standards and replacing legacy encryption systems. It also recommends Congress set a deadline for all 12 Federal Reserve banks to be quantum-secure.
“If you were having a dispute with the United States in other ways and you wanted to make it more complicated, why not take down the financial system as a distraction?,” said Alex Pollock, a former deputy director of the Treasury Department’s Office of Financial Research in response to the report.
“If you were having a dispute with the United States in other ways and you wanted to make it more complicated, why not take down the financial system as a distraction?”
John Prisco, CEO of Quantum Safe, said urged a multi-pronged strategy to thwart a quantum attack rather than relying on one encryption technology. “Imagine if China had already figured out how to break into CRYSTALS-Kyber. That would be a disaster, but would they tell us? I don’t think so,” he said.